FBI Hacked While Congress Ponders Cybersecurity Legislation

Director of National Intelligence James Clapper (C) looks up while flanked by FBI Director Robert Mueller (L) and CIA Director David Petraeus (R) as they testify before a Senate (Select) Intelligence hearing on "World Wide Threats" on Capitol Hill in Washington

At a rare open hearing of the Senate Select Committee on Intelligence last week, FBI Director Robert Mueller testified that threats from cyber-espionage and cyber-attacks will surpass terrorism as the number one threat facing the United States.

“Stopping terrorists is the number one priority,” said Mueller. “But down the road, the cyber threat will be the number one threat to the country. I do not think today it is necessarily [the] number one threat, but it will be tomorrow.”

Less than three days later, hackers released a recording of an intercepted conference call between FBI agents and their U.K. counterparts investigating the Anonymous and LulzSec collectives. Some have speculated that this means at least one person at the FBI has had their email compromised.

An annoyed FBI confirmed the eavesdropping to the AP and said it was mounting an investigation. It is no wonder the Bureau sees cyber-attacks as the number one threat.

Congress is similarly concerned about the seemingly growing number of cyber-threats, and both the House and Senate are working on comprehensive cybersecurity legislation. The House Committee on Homeland Security marked up cybersecurity legislation on Wednesday, and the Senate plans to consider a new comprehensive bill later this month.

But what can Congress do to improve cybersecurity? One line of thinking, reportedly embodied by the Senate legislation (details of that bill are not yet available), would have the government tell network owners how to protect their systems. The Department of Homeland Security would be charged with writing security rules and punishing companies that did not comply. Such a prescriptive approach may not be very helpful, however.

For one thing, infrastructure owners have invested billions in their systems and do not want to see them compromised any more than the government does. It is therefore not clear that they are not already securing their networks as well as they can. But even assuming they need an extra incentive, a prescriptive approach could dampen innovation: if you must secure your network one particular way to meet regulatory requirements, you have little incentive to investigate untried but potentially promising alternatives.

More importantly, there is no evidence that the government knows how to secure networks better than the private sector does. A recent report by the Ponemon Institute found that every sector of the economy is vulnerable to cyber-attack. Asked which sector is the most vulnerable, chairman and founder Lawrence Ponemon said it was government.

“In our study the most vulnerable in terms of failure to detect big problems, A-number-one is the U.S. government and government generally speaking, including states and municipalities,” he said.

The bipartisan bill moving forward in the House, on the other hand, takes a different approach. At the center of the PRECISE Act is the creation of a non-profit National Information Sharing Organization (NISO) that would serve as a clearinghouse for the voluntary exchange of cybersecurity threat information between government and industry. Under the NISO umbrella, industry and government would be exempt from the privacy laws that today restrict such collaboration, provided they share information only for cybersecurity purposes.

“There is widespread agreement that ISPs and other operators of computer networks need clearer legal authority in order to be able to share with each other–and with the government–signatures and other information about suspected attacks on their networks,” says Greg Nojeim, senior counsel at the Center for Democracy and Technology. “However, since we are talking about privately-owned and operated networks that carry personal communications, any sharing of information must be carefully controlled.”

He says that a private non-profit organization would create fewer privacy risks than a government-run information-sharing hub.

Yet despite the progress in both the House and Senate, and President Obama's call for cybersecurity legislation in his recent State of the Union address, it is not clear that we will see a bill pass this year. The gulf between the House and Senate versions seems quite large, and in a presidential election year a divided Congress will likely leave the tough decisions until next year.